HKU\S-1-5-21-....

Hi. Since Thursday, when I ran a Malwarebytes full scan, MBAM found this thing “PUP.Optional.ConduitTB.Gen”, its type: Registry key, and its location, which is the most weird and I’ve not even found it to this day: "HKU\S-1-5-21-…-…-…-1003\SOFTWARE\Conduit". Malwarebytes says it’s a PUP (potentially unwanted program), but for real. Every time I put it in quarantine and delete it, this virus (thing) shows up again the next day, maybe the next hour after the removal.
Here is one log from Threat Scan:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 05.03.2016
Scan Time: 01:17
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.03.04.05
Rootkit Database: v2016.02.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Andreiii

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 337546
Time Elapsed: 3 min, 0 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-2785295504-2673479696-1846757279-1003\SOFTWARE\Conduit, Quarantined, [62631271cacf0b2b9249c1b99f659769],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Do any of you know how to get rid of this? Oh, I have to mention that in this time I’ve reinstalled Windows as well, but only quick-formatting the SSD, not the HDDs.

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253

Here is everything you asked for: FRST + Addition, aswMBR and another one from MBAM. I hope all the logs can be seen and are approximately OK…

OK, now you’ve to wait a bit…

Try this

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.

Ahmm… So I’ve downloaded AdwCleaner and after the scan, it says something strange somehow, and that is that my computer is safe… You what mate? Here is the message it displays after the scan: "AdwCleaner found no malicious program on your computer!"
So? What now? I mean, I read on the Internet about that HKU\S-1-5-21 and it says that is quite harmful for the PC, including things like keylogger, a downgrade of the PC performance, and so on…
Oh, and if you ask yourself if the scan was made without any programs running at the same time, yes it was, I’ve closed everything from Steam, Chrome to my mouse/keyboard drivers.

Sorry for double posting, but even in the situation of seeing that message, I ran a scan again, of course it didn’t find anything, but I pressed on Clean and I’ve restarted the PC. Here is the log.

I read on the Internet about that HKU\S-1-5-21 and it says that is quite harmful for the PC
No, not dangerous, just an annoying toolbar. PUP.Optional.ConduitTB = Conduit Tool Bar

It is not showing in any log… Navigate to this key and see if it is present

HKU\S-1-5-21-2785295504-2673479696-1846757279-1003\SOFTWARE\Conduit
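
A way to make this check from PowerShell instead of regedit, as an added example that is not part of the original thread: it takes the detection line from the MBAM log above, resolves the SID in the path to an account, and reports whether that user's hive is loaded and whether the key is present. The function names are hypothetical.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Detection line copied from the MBAM log posted earlier in this thread.
$logLine = 'PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-2785295504-2673479696-1846757279-1003\SOFTWARE\Conduit, Quarantined, [62631271cacf0b2b9249c1b99f659769],'

function Get-HkuDetection {
    param([Parameter(Mandatory)][string]$Line)
    # Fields as they appear in the log line above: name, key path, action, ...
    if ($Line -match '^(?<name>[^,]+),\s*HKU\\(?<sid>S-1-[\d-]+)\\(?<subkey>[^,]+),') {
        return [pscustomobject]@{
            Detection = $Matches['name'].Trim()
            Sid       = $Matches['sid']
            SubKey    = $Matches['subkey'].Trim()
        }
    }
    throw "Not an HKU registry-key detection line: $Line"
}

function Test-HkuDetection {
    param([Parameter(Mandatory)]$Detection)
    $sid = $Detection.Sid

    # Which account owns this SID? Translation fails if the account no longer exists.
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '(SID does not resolve to an account on this machine)'
    }

    # Profile folder recorded for the SID, if a profile exists.
    $profileKey  = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    $profilePath = (Get-ItemProperty -LiteralPath $profileKey -ErrorAction SilentlyContinue).ProfileImagePath

    # A user's hive is visible under HKEY_USERS only while it is loaded.
    $hive = "Registry::HKEY_USERS\$sid"
    $key  = "$hive\$($Detection.SubKey)"

    [pscustomobject]@{
        Detection   = $Detection.Detection
        Account     = $account
        ProfilePath = $profilePath
        HiveLoaded  = Test-Path -LiteralPath $hive
        KeyPresent  = Test-Path -LiteralPath $key
    }
}

Test-HkuDetection (Get-HkuDetection $logLine) | Format-List
```

KeyPresent is only meaningful when HiveLoaded is True; if the hive is not loaded, the check has to be repeated while that account is logged on.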

OK… 1st of all: @Pondus: I don’t understand what you wanted to say…
2nd of all: I’ve used AdwCleaner once again, this time after a restart and a MBAM threat scan where, once again, MBAM found that PUP, but this time I didn’t remove it and didn’t click Finish in MBAM so I can use AdwCleaner. Here is the log.
And finally, essexboy, how can I navigate to it? I went to regedit and then to HKEY_USERS. There I have more things “>.DEFAULT | >S-1-5-18 | >S-1-5-19 | >S-1-5-20” and of course 2 more with the name of the location but without “HKU”, so at HKEY_USERS I have as well “>S-1-5-21-2785295504-…-…-1003”
It has a subfolder named SOFTWARE, but SOFTWARE doesn’t contain a subfolder Conduit so… Yeah… This is the weirdest virus, or whatever it is, that I’ve ever had…

@Pondus : I don't understand what you wanted to say ...
EDITED ... Read my post again

OK reboot and see if it returns

It is doing no harm to your computer and is inactive

Yes, it’s still here… Should I reinstall Windows again, but this time erase everything on my SSD and HDD too?

Hey andrei41, I suggest you go to this guide and post a FRST scan + Addition and let essexboy have a look at the computer.

https://forum.avast.com/index.php?topic=53253.0

Don’t throw in the towel just yet; follow the guide above and post the log.

Here you have them, even if I’ve already posted them yesterday…

OK, we will try a manual removal… But there is no danger with this registry key; it is harmless.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Reg: reg delete HKU\S-1-5-21-2785295504-2673479696-1846757279-1003\SOFTWARE\Conduit /f

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

OK. Before I do this I want to know something: if I do what you said there, is there any risk to break my computer, as you said? And how? :o
One more thing. I’ve got a little problem with the memory usage. I went to Task Manager and it says that “System” is using ~200MB, which is quite high because in the first hour or two it only uses around 50MB. Can you tell me why?

This fix is for your computer only; use it on another computer and it may break… Your computer is safe :)

Windows will use as much memory as possible, otherwise why have it

Yea… It says it was unable to find that registry key…

Edit: I tried once again after a restart and there you have it: (second one)

Is MBAM now still finding it?